Rubicon contest - 0xNoah's results

An order book protocol for Ethereum, built on L2s.

General Information

Platform: Code4rena

Start Date: 23/05/2022

Pot Size: $50,000 USDC

Total HM: 44

Participants: 99

Period: 5 days

Judge: hickuphh3

Total Solo HM: 11

Id: 129

League: ETH

Rubicon

Findings Distribution

Researcher Performance

Rank: 45/99

Findings: 1

Award: $142.29

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: xiaoming90

Also found by: 0xNoah, PP1004, hubble, pauliax, reassor, sashik_eth, shenwilly, sseefried

Labels

bug
duplicate
3 (High Risk)

Awards

142.2857 USDC - $142.29

External Links

Lines of code

https://github.com/code-423n4/2022-05-rubicon/blob/8c312a63a91193c6a192a9aab44ff980fbfd7741/contracts/rubiconPools/BathToken.sol#L629-L653

Vulnerability details

Impact

Due to rewardsVestingWallet not being set, the condition in the Proof of Concept below will always evaluate to false, thus resulting in the rewards funds never being released - leading to asset loss for the beneficiary.

Proof of Concept

    if (rewardsVestingWallet != IBathBuddy(0)) { // always false
        rewardsVestingWallet.release(
            (token),
            receiver,
            sharesWithdrawn,
            initialTotalSupply,
            feeBPS
        );
    }

Tools Used

None

Initialize rewardsVestingWallet in constructor or a separate setter function.

#0 - bghughes

2022-06-03T23:34:13Z

Duplicate of #168
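A state variable that is compared against zero but never written, as in the finding above, can be caught mechanically during review. The scanner below is an added example, not code from the submission or from the Rubicon repository; the contract source is constructed, and every name other than rewardsVestingWallet, IBathBuddy and the release(...) call is hypothetical.

```python
import re

# Constructed sample modelled on the snippet in this finding; names other than
# rewardsVestingWallet, IBathBuddy and release(...) are hypothetical.
VULNERABLE = """
contract BathTokenSketch {
    address public admin;
    address public token;
    uint256 public feeBPS;
    IBathBuddy public rewardsVestingWallet;

    constructor(address _token, uint256 _feeBPS) {
        admin = msg.sender;
        token = _token;
        feeBPS = _feeBPS;
    }

    function _withdraw(address receiver, uint256 sharesWithdrawn, uint256 initialTotalSupply) internal {
        if (rewardsVestingWallet != IBathBuddy(0)) { // never true: no writer exists
            rewardsVestingWallet.release((token), receiver, sharesWithdrawn, initialTotalSupply, feeBPS);
        }
    }
}
"""

# Same contract plus the setter the finding recommends (setter name is hypothetical).
FIXED = VULNERABLE.replace(
    "    function _withdraw",
    "    function setRewardsVestingWallet(IBathBuddy w) external {\n"
    "        require(msg.sender == admin);\n"
    "        rewardsVestingWallet = w;\n"
    "    }\n\n    function _withdraw", 1)

DECL = re.compile(r"\s*[A-Za-z_]\w*\s+(?:(?:public|private|internal)\s+)?([A-Za-z_]\w*)\s*;")

def never_assigned(source):
    """State variables declared without an initializer and never written (single-file heuristic)."""
    code = re.sub(r"//[^\n]*|/\*.*?\*/", "", source, flags=re.S)  # strip comments
    depth, flagged = 0, []
    for line in code.splitlines():
        m = DECL.match(line) if depth == 1 else None  # depth 1 = contract body
        depth += line.count("{") - line.count("}")
        if not m:
            continue
        # A write is `name =`, `name +=` and so on, but not the comparison `name ==`.
        write = re.compile(r"\b" + re.escape(m.group(1)) + r"\s*(?:[-+*/%|&^]|<<|>>)?=(?!=)")
        if not write.search(code):
            flagged.append(m.group(1))
    return flagged
```

The check is textual and single-file: it does not follow inheritance, inline assembly or tuple assignment, so a hit is a prompt for manual review rather than a verdict.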
